This decorator will sort out the parameters and headers, and
pre-validate everything:

    @app.route('/oauth/authorize', methods=['GET', 'POST'])
    @oauth.authorize_handler
    def authorize(*args, **kwargs):
        if request.method == 'GET':
            # render a page for user to confirm the authorization
            return render_template('oauthorize.html')

        confirm = request.form.get('confirm', 'no')
        return confirm == 'yes'

A verifier works better together with a request token, but this is
not required. The verifier is used together with the request token to
exchange for an access token, and it has an expiry time, so it is
better design to keep them in a cache.

This decorator will sort out the parameters and headers, and
pre-validate everything:

    @app.route('/oauth/authorize', methods=['GET', 'POST'])
    @oauth.authorize_handler
    def authorize(*args, **kwargs):
        if request.method == 'GET':
            # render a page for user to confirm the authorization
            return render_template('oauthorize.html')

        confirm = request.form.get('confirm', 'no')
        return confirm == 'yes'

This decorator is only required for password credential
authorization:

    @oauth.usergetter
    def get_user(username, password, client, request,
                 *args, **kwargs):
        # client: current request client
        if not client.has_password_credential_permission:
            return None
        user = User.get_user_by_username(username)
        # an unknown username must fail the same way as a wrong password
        if user is None or not user.validate_password(password):
            return None

        # parameter `request` is an OAuthlib Request object.
        # maybe you will need it somewhere
        return user

This method is used in the authorization code grant flow. It
strictly compares redirect_uri with the one stored in the grant
token. You can add a validate_redirect_uri function on the grant for
customized validation.

This method is used in the authorization code grant flow and also
in the implicit grant flow. It strictly checks whether redirect_uri
is in the client’s redirect_uris. You can add a validate_redirect_uri
function on the grant for customized validation.
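The two redirect_uri checks above default to exact comparison. As an added example (not code from Flask-OAuthlib), here is one customized validate_redirect_uri that keeps exact matching and relaxes only the port of a registered loopback URI, next to a prefix comparison that shows why a looser rule is unsafe. The `Client` class, `LOOPBACK_HOSTS`, `prefix_match` and all URIs are hypothetical, and it assumes the hook receives the candidate redirect_uri as its only argument.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1"}  # assumption: IP literals only, no "localhost"


class Client:
    """Hypothetical client model; only the field this example needs."""

    def __init__(self, redirect_uris):
        self.redirect_uris = list(redirect_uris)

    def validate_redirect_uri(self, redirect_uri):
        """Exact match, except a registered loopback URI matches on any port."""
        if not redirect_uri:
            return False
        if redirect_uri in self.redirect_uris:  # same rule as the strict default
            return True
        try:
            got = urlsplit(redirect_uri)
            got.port  # raises ValueError on a malformed or out-of-range port
        except ValueError:
            return False
        # userinfo and fragments have no place in a redirect target
        if got.username or got.password or got.fragment:
            return False
        for registered in self.redirect_uris:
            reg = urlsplit(registered)
            if reg.hostname not in LOOPBACK_HOSTS:
                continue  # non-loopback URIs are only ever matched exactly
            same = (got.scheme, got.hostname, got.path, got.query) == (
                reg.scheme, reg.hostname, reg.path, reg.query)
            if same:
                return True
        return False


def prefix_match(client, redirect_uri):
    """Weak rule shown for contrast: prefix comparison instead of equality."""
    return any(redirect_uri.startswith(u) for u in client.redirect_uris)


# Constructed sample registration, not taken from any real deployment.
SAMPLE = Client(["https://app.example.com/cb", "http://127.0.0.1/cb"])
```
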

You can omit any model if you wish to register the functions yourself.
It is also possible to override the functions by registering them
afterwards:

    oauth = OAuth2Provider(app)
    bind_sqlalchemy(oauth, session, user=User, client=Client, token=Token)

    @oauth.grantgetter
    def get_grant(client_id, code):
        pass

    @oauth.grantsetter
    def set_grant(client_id, code, request, *args, **kwargs):
        pass

    # register tokensetter with oauth but keeping the tokengetter
    # registered by `SQLAlchemyBinding`
    # You would only do this for the token and grant since user and client
    # only have getters
    @oauth.tokensetter
    def set_token(token, request, *args, **kwargs):
        pass

Note that current_user is only required if you’re using SQLAlchemy
for grant caching. If you’re using another caching system with
GrantCacheBinding instead, omit current_user.